EMPLOYMENT AND TRAINING ADMINISTRATION

Office of Inspector General—Office of Audit

UNEMPLOYMENT INSURANCE SYSTEMS’ INFORMATION TECHNOLOGY CONTINGENCY PLANS NEED IMPROVEMENT

Date: March 31, 2009
Report Number: 23-09-002-03-315

U.S. Department of Labor
Office of Inspector General
Office of Audit
March 2009

BRIEFLY…
Highlights of Report Number: 23-09-002-03-315, to the Deputy Assistant Secretary for Employment and Training.

WHY READ THE REPORT
After Hurricanes Katrina and Rita devastated the Gulf Coast in 2005, the Employment and Training Administration (ETA) found the states impacted by the hurricanes had large disparities in their level of preparedness in information technology (IT) and operational recovery of the Unemployment Insurance (UI) program.

Based on this, the Assistant Secretary requested the Office of the Inspector General (OIG) conduct an audit, as ETA was interested in knowing which states had viable plans to deal with emergencies. In September 2008, the OIG issued audit report number 23-08-004-03-315. This audit identified that while ETA required state workforce agencies (SWAs) to develop and implement IT contingency plans as a condition of their grant agreements, it did not verify that the plans were developed or tested. Specifically, the audit found three of the four SWAs reviewed may not be able to recover the UI systems necessary to maintain operational capability in a timely, orderly manner or perform essential functions during an emergency or other situation that may disrupt normal operations.

We conducted this follow-on audit to assess the IT contingency plans for the UI Tax and Benefit Systems administered by all 53 of the nation’s SWAs.

WHY OIG DID THE AUDIT
The purpose of our audit was to answer the following question:

    Has ETA ensured SWA partners establish and maintain required IT contingency plans vital for UI services to continue reliably in the event of a disaster or system interruption?

READ THE FULL REPORT
To view the report, including the scope, methodology, and full agency response, go to:

http://www.oig.dol.gov/public/reports/oa/2009/23-09-002-03-315.pdf

WHAT OIG FOUND
While ETA encouraged SWAs to follow best practices, it did not ensure the SWAs’ plans contained best practices, i.e., IT contingency plan elements. Specifically, two SWAs did not have plans and 49 out of the remaining 51 SWAs’ plans did not include elements determined to be critical to ensure continued availability of the UI systems.

This situation existed because ETA did not verify SWA plan existence, nor did the SWAs provide ETA with evidentiary verification of their IT contingency plans. In addition, in some cases, the SWAs did not carry out the attestations in their respective grant agreements to maintain plans. While the SWAs annually attest to maintaining disaster preparedness plans, ETA did not conduct specific verification to ensure the validity of the SWAs’ self attestations. As a result, ETA relied on inaccurate information from the SWA self-attestations.

WHAT OIG RECOMMENDED
We recommended that the Deputy Assistant Secretary for Employment and Training conduct annual verifications of SWAs’ IT contingency plans for existence and reliability using risk-based approaches that consider the SWAs’ contingency planning maturity and likelihood of disasters.

ETA generally agreed with OIG's recommendation that ETA’s oversight of state IT contingency planning would be greatly strengthened by implementing an annual verification of the SWAs' IT Contingency Plans for existence and reliability.

U. S. Department of Labor – Office of Inspector General

Table of Contents

Assistant Inspector General’s Report
Results In Brief
Objective — Has ETA ensured SWA partners establish and maintain required IT contingency plans vital for UI services to continue reliably in the event of a disaster or system interruption?
    Finding — ETA did not ensure SWAs’ UI Tax and Benefit Systems’ IT Contingency Plans were reliable.
Recommendation

Exhibits
    Exhibit 1 Contingency Plan Maturity and Corresponding Risk
    Exhibit 2 Presence of 17 IT Contingency Plan Elements in UI Systems’ Plans
    Exhibit 3 Presence of Critical Elements in SWAs' Plans

Appendices
    Appendix A Background
    Appendix B Objective, Scope, Methodology, and Criteria
    Appendix C Acronyms and Abbreviations
    Appendix D Agency Response to Draft Report

UI Systems’ IT Contingency Plans
Report No. 23-09-002-03-315

U.S. Department of Labor
Office of Inspector General
Washington, D.C. 20210

March 31, 2009

Assistant Inspector General’s Report

Mr. Douglas F. Small
Deputy Assistant Secretary for
   Employment and Training
U. S. Department of Labor
Frances Perkins Building
200 Constitution Avenue, NW
Washington, DC 20210

After Hurricanes Katrina and Rita devastated the Gulf Coast in 2005, the Employment and Training Administration (ETA) found the states impacted by the hurricanes had large disparities in their level of preparedness in information technology (IT) and operational recovery of the Unemployment Insurance (UI) program. Based on this, the Assistant Secretary requested the Office of Inspector General (OIG) conduct an audit, as ETA was interested in knowing which states had viable plans to deal with emergencies.

In September 2008, in response to this request, the OIG issued audit report, No. 23-08-004-03-315. The audit identified that while ETA required state workforce agencies (SWAs) to develop and implement IT contingency plans as a condition of their grant agreements, it did not verify that the plans were developed or tested.
Specifically, the audit found three of the four SWAs reviewed may not be able to recover the UI systems necessary to maintain operational capability in a timely, orderly manner or perform essential functions during an emergency or other situation that may disrupt normal operations.

To assess the viability of IT contingency planning capabilities for Department of Labor’s (DOL) UI program nationwide, the OIG performed this follow-on audit which focused on analyzing all SWA documents submitted to OIG as contingency plans for the UI Tax and Benefit Systems (UI Systems).

The audit objective was to answer the following question:

     Has ETA ensured SWA partners establish and maintain required IT contingency plans vital for UI services to continue reliably in the event of a disaster or system interruption?

The audit covered SWAs’ contingency plans for the UI Systems in all 53 states and territories having UI programs. To achieve the audit objective, from each SWA, we obtained their UI system IT contingency plans; other documents purported to be IT contingency plans; or notifications that no such plans existed.
We assessed the documentation received from 51 SWAs - 2 SWAs (NY and NH) responded that no plan was in place - for the presence of elements needed in establishing and maintaining a viable IT contingency planning capability, according to the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-34, Contingency Planning for Information Technology Systems.

RESULTS IN BRIEF

While ETA encouraged SWAs to follow best practices, it did not ensure the SWAs’ plans contained best practices, i.e., IT contingency plan elements. Although many SWAs had plans, the plans did not contain all the elements needed to ensure the continued, reliable operation of UI services in the event of a disaster or system interruption. Specifically, 49 out of 51 plans did not include elements determined to be critical to ensure continued availability of the UI systems.

This situation existed because ETA did not verify SWA plan existence, nor did the SWAs provide ETA with evidentiary verification of their IT contingency plans. In addition, in some cases, the SWAs did not carry out the attestations in their respective grant agreements to maintain plans. While the SWAs annually attest to maintaining disaster preparedness plans, ETA did not conduct specific verification to ensure the validity of the SWAs’ self attestations. As a result, ETA relied on inaccurate information from the SWA self-attestations.

Without adequate IT contingency plans, critical support services provided by these UI systems may not be available during a disaster or disruption.
This may result in the inability to provide benefits to individuals who rely upon UI for their daily sustenance during periods of unemployment.

AGENCY RESPONSE

ETA generally agreed with OIG's recommendation that ETA’s oversight of state IT contingency planning would be greatly strengthened by implementing an annual verification of the SWAs' IT Contingency Plans for existence and reliability using risk-based approaches that consider the SWAs' contingency planning maturity and likelihood of disasters. In addition, ETA provided funding estimates needed to implement the OIG recommendation. The response is provided in full in Appendix D.

OIG CONCLUSION

ETA management shares our view that effective state information technology (IT) contingency plans are vitally important to ensure that eligible unemployed workers receive unemployment insurance (UI) payments following IT failures caused by disasters or other disruption of normal operations.
We feel the implementation of our recommendation will greatly enhance the UI Program and the accountability at the Federal level.

RESULTS AND FINDINGS

Objective — Has ETA ensured SWA partners establish and maintain required IT contingency plans vital for UI services to continue reliably in the event of a disaster or system interruption?

No, ETA did not ensure SWA partners established and maintained required IT contingency plans.

Although ETA took steps to encourage the SWAs to implement IT contingency plans that meet recognized best practices, the agency did not ensure the SWAs had plans in place which included elements vital for UI services to continue in the event of a disaster or system interruption.

Finding — ETA did not ensure SWAs’ UI Tax and Benefit Systems’ IT Contingency Plans were reliable.

Many SWAs did not maintain IT contingency plans for the UI Systems that follow best practices encouraged by ETA. Best practices are deemed necessary to allow for reliable continued operation of UI services in the event of a disaster or system interruption. ETA has strongly encouraged the SWAs to utilize NIST IT security documents and guidelines, including NIST SP 800-34, since 2004, when it issued UI Program Letter (UIPL) Number 24-04: Unemployment Insurance Information Technology Security. We found many UI Systems' IT contingency plans did not contain elements we determined to be critical to reliably implement the contingency plan and maintain the information systems’ operations in the event of a disaster or system interruption. While all SWAs are expected to have viable IT contingency plans, it is imperative that those SWAs prone to a higher frequency of disasters make better preparations, starting with maintaining complete and well-documented IT contingency plans.
(See Exhibit 1 for a plot of contingency planning maturity and corresponding risk.)

NIST SP 800-34 states: “IT contingency plan development is a critical step in the process of implementing a comprehensive contingency planning program.”

NIST also iterates that:

       Information technology (IT) and automated information systems are vital elements in most business processes. Because these IT resources are so essential to an organization’s success, it is critical that the services provided by these systems are able to operate effectively without excessive interruption. Contingency planning supports this requirement by establishing thorough plans and procedures and technical measures that can enable a system to be recovered quickly and effectively following a service disruption or disaster.

UI Systems' Contingency Plans Absent of Critical Elements

We evaluated the submissions from the 51 SWAs for the existence of plan elements based on best practices encouraged for use by ETA and found in NIST SP 800-34. For each of the 17 elements outlined in the chart below, we determined if the element was present in the documentation submitted. (See Exhibit 2 for a complete listing of the 17 elements’ presence across the 51 SWAs’ plans.)
We focused on the plans’ inclusion of the following 4 elements which, in our judgment, are critical to ensuring a plan is actionable based on their role in the plan: Line of Succession, Detailed Recovery Procedures, Reconstitution Phase Procedures, and Contact Information of Contingency Plan Teams.

List of 17 Plan Elements

--  Purpose
--  Applicability
--  Scope
--  Record of Changes
--  System Description
--  Line of Succession*
--  Responsibilities
--  Activation Criteria
--  Documented Notification Procedures
--  Damage Assessment Procedures
--  Detailed Recovery Procedures*
--  Reconstitution Phase Procedures*
--  Contact information of CP teams*
--  Vendor contact information
--  Checklists for system recovery
--  Equip/System requirements lists
--  Description/Direction to alternative sites

* These critical elements are discussed further in the report, including examples of problems found.

Overall, the SWAs’ plans did not all contain the IT contingency plan elements outlined in NIST SP 800-34. The magnitude of the documentation problems included:

Absence of the Four Critical Elements - We found many UI Systems' IT contingency plans did not contain all of the four critical elements to reliably implement the contingency plan and maintain the information systems’ operations in the event of a disaster or system interruption. Specifically, of the 51 SWAs that provided planning documents, 49 out of 51 did not contain all 4 critical elements. Furthermore, 32 of the 51 plans were lacking in all 4 critical areas. Only two SWAs, Massachusetts and South Dakota, had plans containing all four critical elements. Exhibit 2 shows the distribution of the 17 elements throughout all 51 SWAs.

Although many SWAs did not have plans with all the critical elements, there were SWAs that showed signs of attempting to put forth a qualified plan in accordance with the best practices encouraged by ETA. For example, 3 SWAs had plans with 75 percent of the 17 elements (13 or more).
Exhibit 3 provides a bar graph with a visual representation of the existence of the critical planning elements across the 51 SWAs.

With the understanding these four critical elements should be in place for a contingency plan to be viable during a time of disaster, the following assessment results reveal the magnitude of the SWAs’ problems across the four critical areas.

Line of Succession

The line, or order, of succession defines who assumes responsibility for IT contingency plan execution in the event the highest authority is unavailable or unable to do so. Twenty-nine of 51 SWA submissions did not include a line of succession. Twelve SWAs included a partial line of succession; they were missing a full description.

The severity of this condition is exacerbated when related to the frequency of disasters declared in each state. The Federal Emergency Management Agency (FEMA) tracks and reports the frequency of disasters declared in each state annually. FEMA ranks the states by total number of disasters, which we used for purposes of this audit. (See Appendix B: Methodology, for complete ranking.) Of FEMA’s top 25 highest-risk SWAs: 11 had contingency plans that were missing a line of succession; 1 responded it did not have a contingency plan; and 7 had contingency plans that included a partial line of succession.
This left only 6 of the highest-risk SWAs with plans that included this critical element.

Examples of the types of problems related to this critical element include:

   •   The third highest-risk SWA’s plan omitted the line of succession element. Other documentation from this SWA contained team contact information with team leader alternatives but not a fully detailed line of succession.
   •   The sixth highest-risk SWA’s plan had not been updated since 2004 and it did not contain any line of succession information.
   •   The seventh highest-risk SWA submitted a document which contained an appendix with contact information, and organizational charts, but did not address the line of succession that would be effective during an emergency.

NIST SP 800-34 states:

       The order of succession will define who assumes responsibility for contingency plan execution in the event that the highest authority (usually starting with the Chief Information Officer [CIO]) is unavailable or unable to do so.

NIST SP 800-34 also iterates that:

       The order of succession identifies personnel responsible to assume authority for executing the contingency plan in the event the designated person is unavailable or unable to do so.

The line of succession is a critical element of the contingency plan, as it helps the SWA avoid confusion during a disaster or disruption by specifying who is responsible for the plan in the event personnel are incapacitated.
As NIST SP 800-34 notes:

       The order of succession will define who assumes responsibility … if the CIO has been injured or killed, the Deputy CIO will assume plan responsibility; if the CIO and Deputy CIO have been injured or killed, the Information Systems Security Manager will assume plan responsibility.

Detailed Recovery Procedures

Detailed recovery procedures are critical to allow personnel to restore the UI System or system components in an approved, step-by-step, manner. Twenty-two of 51 SWA submissions did not have detailed recovery procedures for their respective UI systems. Another 20 SWAs’ plans had some recovery procedures, but were missing the full details needed to timely resume operations.

Of FEMA’s top 25 highest-risk SWAs: 9 had contingency plans that were missing recovery procedures; 1 responded it did not have a contingency plan, and 9 had contingency plans containing only partial procedures to recover the respective UI Systems.
This left only 6 of the highest-risk SWAs with plans that included this critical element.

The following examples highlight the concern further:

   •   The sixth highest-risk SWA did not have specific recovery procedures relating to its client server operations, i.e., its Windows server recovery procedures included a list of system attributes such as Operating System, Host Name, and amount of memory; however, no written instructions detailing specific recovery steps for the technology listed in the procedure was included.
   •   The ninth highest-risk SWA submitted eight documents, none of which contained detailed recovery procedures. One document included high-level descriptions of recovery steps, and another contained a reference to a detailed recovery procedures appendix that was not part of the submission package.
   •   The fourteenth highest-risk SWA submitted three documents, none of which qualified as an IT contingency plan or contained detailed recovery procedures. One document was a business analysis from 2004; another document was a brochure for emergency teams of all types and not relevant to IT; and the third document was a traditional COOP which did not contain the necessary detailed recovery procedures to ensure UI system availability.

Recovery procedures are a critical element of the contingency plan.
As NIST 800-34 notes, best practices include:

       Recovery phase activities that focus on contingency measures to execute temporary IT processing capabilities, repair damage to the original system, and restore operational capabilities at the original or new facility. At the completion of the Recovery Phase, the IT system will be operational and performing the functions designated in the plan.

Reconstitution Phase Procedures

Reconstitution phase procedures allow an SWA to return to normal operations of providing UI benefits after the disaster or disruption has been mitigated. Forty-three of 51 SWA submissions did not include reconstitution phase procedures. Five SWAs had some reconstitution procedures, but were missing several necessary procedures that allow for timely system recovery.

Of FEMA’s top 25 highest-risk SWAs: 21 had contingency plans that were missing reconstitution phase procedures; 1 responded it did not have a contingency plan, and 2 had contingency plans containing only partial reconstitution information. This left only 1 of the highest-risk SWAs with plans that included this critical element.

The following examples demonstrate the SWAs’ vulnerability should a disaster occur:

   •   Four of the five highest-risk SWAs did not have plans providing details by which an individual could perform reconstitution phase procedures.
   •   The third highest-risk SWA submitted two documents - one contained reconstitution procedures at only a very high level and the other provided only a narrative description of what reconstitution procedures would be necessary.
   •   The sixth highest-risk SWA provided documentation that specifically outlined the need to further develop a detailed reconstitution plan as well as the requirements of this document.

Reconstitution phase procedures are an essential part of an IT contingency plan as they allow an SWA to return to normal operations of providing UI benefits after the disaster or disruption has been mitigated. An SWA cannot continue operations at an alternate site for an indefinite period and, without plans to restore normal operations, the SWA may become unable to function. As NIST SP 800-34 notes:

       In the Reconstitution Phase, recovery activities are terminated and normal operations are transferred back to the organization’s facility. If the original facility is unrecoverable, the activities in this phase can also be applied to preparing a new facility to support system processing requirements.

Contact Information of Contingency Plan Teams

Contact information is critical because personnel involved in contingency plan activation must be able to be notified when plan activation occurs. Twenty-one of 51 SWA submissions did not list any contact information.
Eighteen SWAs list some contact information, but were missing complete details to contact the contingency plan teams.

Of FEMA’s top 25 highest-risk SWAs: 4 had contingency plans that were missing contact information, 1 responded it did not have a contingency plan, and 11 had plans containing only partial contact details. This left only nine of the highest-risk SWAs with plans that included this critical element.

The following examples bring this problem into even greater focus:

   •   The third highest-risk SWA’s plan listed five departments, the contact and one phone number. It did not include alternate numbers or manners of communicating with these key contacts.
   •   The seventh highest-risk SWA submitted three documents, none of which included adequate contact information — one was a four-page document containing narrative descriptions of what recovery efforts would occur and contact names without including phone numbers for management personnel and personnel at the SWA field offices.
   •   The fifteenth highest-risk SWA submitted a narrative description of its UI functions and staffing needs during a contingency, but provided no contact information.

Contact information for the contingency plan team is a critical element of the contingency plan. As NIST 800-34 notes:

       Personnel to be notified should be clearly identified in the contact lists appended to the plan.
       This list should identify personnel by their team position, name, and contact information (e.g., home, work, and pager numbers, e-mail addresses, and home addresses).

       The contact lists generally contain sensitive information and should be marked and stored appropriately and disseminated only to those requiring access. The lists should be dated and frequently reviewed to ensure names, positions, and contact information are up to date.

* * *

The SWA attestations of a disaster recovery capability present risks to the Federal/State UI program and operations because they may misrepresent the SWAs’ actual level of preparedness to ETA management should a disaster or system interruption occur. These risks need to be considered by ETA in assessing how best to improve the SWAs’ contingency planning efforts. ETA is responsible to ensure the Federal funding provided to the SWAs via the annual UI funding agreements is expended in accordance with the grant agreement that requires disaster recovery capability. For agencies to consider and manage risk, the Office of Management and Budget (OMB) issued Circular A-123, Management’s Responsibility for Internal Control, Introduction, (A-123), which describes agency managers’ and staff’s responsibilities for efficient use of resources as:

       The proper stewardship of Federal resources is a fundamental responsibility of agency managers and staff. Federal employees must ensure that government resources are used efficiently and effectively to achieve intended program results.
       Resources must be used consistent
       with agency mission, in compliance with law and regulation, and with
       minimal potential for waste, fraud, and mismanagement.

A-123 further identifies that managers should manage risk when implementing and
monitoring internal controls:

       Internal control guarantees neither the success of agency programs, nor
       the absence of waste, fraud, and mismanagement, but is a means of
       managing the risk associated with Federal programs and operations.
       Managers should define the control environment (e.g., programs,
       operations, or financial reporting) and then perform risk assessments to
       identify the most significant areas within that environment in which to
       place or enhance internal control.

We found many plans lacking substance in their content because ETA did not verify
SWA plan existence nor did the SWAs provide ETA with evidentiary verification of their
IT contingency plans. Furthermore, two SWAs did not even have plans, yet they
attested to ETA that plans existed by signing their annual funding agreements which
contained this assurance of a disaster recovery capability. ETA provides administrative
funding to the SWAs via annual UI Funding agreements (i.e. grant agreements), which
contain requirements of the SWAs.
Each SWA must attest to meeting the requirements
outlined in the assurance statements annually, via signature, in order to receive Federal
grant funding for the administration of the SWA’s UI program.

In preparation for the Year 2000 (Y2K), ETA required evidence from each SWA that the
UI Systems’ IT contingency plans had been verified and validated by an independent
entity and tested. In the eight years since Y2K, ETA has relied upon assurances
provided by SWAs as a part of their UI administrative grant agreement that they have
plans in place. ETA has taken a leadership role with the SWAs in promoting strategies
to minimize service disruptions, operations, and services to UI beneficiaries. However,
without requiring specific verification and validation of the plans, ETA’s leadership
activities have not been entirely effective. By not requiring the SWAs to submit
verification of their IT contingency plans, ETA could not ensure SWAs' plans existed or
contained all critical elements. The focus on verification of IT contingency plans that
existed eight years ago has waned in the interim, which has led to our identified
condition of no ETA verification of IT contingency plan existence. The result was ETA
relying on inaccurate information from SWA self-attestations.

In September 2008 we issued audit report no. 23-08-004-03-315 containing
recommendations for the Assistant Secretary for Employment and Training to enact a
monitoring and review process to verify SWAs develop and test IT contingency plans
necessary to sustain the UI program; and identify and address any weaknesses found
in IT contingency plans.
Since our issuance of the report, ETA has developed plans to
implement the report’s recommendations, which we consider to have been resolved.
ETA has not, however, laid out a specific plan to conduct risk-based verification of IT
contingency plan existence for the UI systems.

Without adequate IT contingency plans for the UI Systems, the critical services provided
by these systems may not be available. A disaster or disruption that strikes an SWA’s
UI System could potentially result in the inability to provide benefits to individuals who
rely upon it for their daily sustenance.

According to one SWA's Business Impact Analysis for the UI program:

       UI offers the first line of defense against the ripple effects of
       unemployment by providing payments to unemployed workers to ensure
       that at least a proportion of life’s necessities can be met on a
       week-to-week basis while searching for work.

With the February 2009 national unemployment rate at 8.1 percent — 12.5 million
individuals, the highest level in 26 years — the importance of IT contingency planning
by SWAs to provide uninterrupted UI benefits has been brought to the forefront. A
disaster or disruption that strikes an SWA’s UI System could potentially result in the
SWA's inability to provide benefits to individuals who depend upon it during an
economic hardship.
If even a small percentage of unemployed individuals were unable
to access their UI benefits, the consequences could put those individuals and/or their
families in dire straits.

In summary, reliable SWA contingency plans for the UI program become even more
important in a time of high unemployment because of the high resource demands on the
UI program. An SWA’s UI System must not only be able to survive a disaster or
disruption but also a surge in usage. Recently, several SWAs experienced problems
ranging from website outages to phone line overloads due to heavy usage. If this
scenario were to occur for a prolonged period, and an SWA did not have a reliable IT
contingency plan in place to compensate, benefits may be interrupted as well.

Recommendation

We recommend the Deputy Assistant Secretary for Employment and Training:

   1. Conduct annual verification of SWAs’ IT contingency plans for existence and
      reliability using risk-based approaches that consider the SWAs’ contingency
      planning maturity and likelihood of disasters.

Elliot P. Lewis

Exhibits

Exhibit 1
Contingency Plan Maturity and Corresponding Risk

[Scatter plot, one point per UI jurisdiction. Vertical axis: Risk Ranking, 0 (Low Risk) to 55 (High Risk). Horizontal axis: Percent of All Elements Present, 0% (Low Maturity) to 100% (High Maturity).]

For each state, the scatter plot displays the risk of a disaster occurring in that state (based on frequency of disasters
declared) along with the corresponding percentage of IT contingency plan elements present in the SWA submissions.
A higher percentage of elements documented reflects greater plan maturity and reliability. The data
includes plots for each of the 53 UI jurisdictions, including the two SWAs (NY and NH) that represented they did not have
a contingency plan.

Exhibit 2
Presence of 17 IT Contingency Plan Elements in UI Systems’ Plans¹

                                             State Workforce Authorities
                Elements                     AL    AK   AZ   AR   CA   CO   CT   DC   DE   FL   GA    HI    ID   IL   IN   IA   KS   KY     LA   ME   MD   MA   MI   MN   MS     MO
Purpose                                                                                    X                     X                               X    X    X                 X   X
Applicability                                                                              X                     X                               X    X    X                 X   X
Scope                                                                                      X                     X                               X    X    X                 X   X
Record of Changes                                                                                                                                          X                 X
System Description                                                                                               X              X                          X                 X   X
Line of Succession                                                X    X                                                   X                               X                     X
Responsibilities                                                  X    X                   X                     X         X                X         X    X                 X   X
Activation Criteria                                               X                        X                     X         X                          X    X
Documented Notification Procedures                                X    X                   X                     X                          X         X    X                 X
Damage Assessment Procedures                                      X    X                   X                               X                X              X                 X
Detailed Recovery Procedures                                                               X                     X                                         X
Reconstitution Phase Procedures                                                                                                                            X
Contact information of CP teams              X                                                                   X         X                               X                 X   X
Vendor contact information                   X                         X                   X                     X                                                               X
Checklists for system recovery               X                                                                                                                                   X
Equip/System requirements lists              X                    X                        X                     X         X                                                     X
Description/Direction to alternative sites         X                                                                       X                X         X

¹ An X mark in the chart indicates the element was present in the SWA’s planning documents. For purposes of this analysis, a plan that contained parts of
the element, i.e. received “partial” in the analysis, was not given an X for present, as the element was found deficient in some manner.

Exhibit 2
Presence of 17 IT Contingency Plan Elements in UI Systems’ Plans (continued)

                                             State Workforce Authorities
                Elements                     MT   NE   NV   NJ   NM   NC   ND   OH   OK   OR     PA   PR    RI   SC    SD    TN   TX    UT   VA   VI   VT    WA   WV    WI   WY
Purpose                                           X    X         X    X              X                                  X         X          X                X
Applicability                                          X              X              X                                            X                           X   X
Scope                                             X    X              X                                                 X    X               X                X
Record of Changes                                      X                                                                X
System Description                           X         X                             X                                                   X
Line of Succession                                     X                                         X                      X                    X                X
Responsibilities                                       X         X    X    X         X                                  X    X    X
Activation Criteria                                    X              X                          X                      X         X      X   X                X   X
Documented Notification Procedures                     X              X              X           X                      X    X    X      X                        X
Damage Assessment Procedures                           X              X              X                                  X
Detailed Recovery Procedures                           X              X              X                                  X                    X                    X
Reconstitution Phase Procedures                                       X                                                 X
Contact information of CP teams                        X                   X    X    X                                  X                                         X
Vendor contact information                             X              X    X         X                      X                            X                        X
Checklists for system recovery                         X              X         X                                                 X                                     X
Equip/System requirements lists                        X              X    X    X    X           X          X                X                                    X
Description/Direction to alternative sites                            X              X                      X                                                           X

Exhibit 3
Presence of Critical Elements in SWAs' Plans

[Bar chart. Vertical axis: Number of SWAs, 0 to 50. Legend: Yes, No, Partial. Elements charted: Line of Succession; Detailed Recovery Procedures; Reconstitution Phase Procedures; Contact information of Contingency Planning teams.]

Appendices

Appendix A
Background

UI Program Background

In 1935, in order to confront the economic woes in the United States caused by massive
job losses during the Great Depression, the Federal-State UI program was created to
help out-of-work individuals, businesses, and the nation's economy as a whole.
The
purpose of the program is to provide aid to individuals who are unemployed due to
circumstances outside of their control.

The UI program, a Federal-State partnership, is DOL’s largest income-maintenance
program. The primary law that established the Federal-State UI partnership is the
Social Security Act of 1935. In accordance with Title III, Section 302, of the Social
Security Act, which authorizes the Secretary of Labor to provide funds to administer the
UI program, and Sections 303 (a) (8) and (9), which govern the expenditure of those
funds, the Secretary of Labor has a responsibility to ensure the funds are appropriately
approved for reporting to the Secretary of the Treasury.

While Federal law determines the framework of the program, benefits for individuals are
dependent on state law and administered by the SWAs. The Federal government is
charged with collecting taxes; distributing administrative funding to the states;
maintaining responsibility for the Unemployment Trust Fund; setting and tracking
performance measures; monitoring compliance with both Federal and state
regulations; and creating policy nationwide for administering the program. The SWAs
are charged with constructing policy and procedures in accordance with Federal criteria;
establishing and collecting state taxes; validating claims and paying them out when
acceptable; and running the program according to existing criteria.

ETA Oversight of UI Program

The Secretary of Labor oversees the program through ETA, which oversees the UI
program. ETA provides administrative funding to the SWAs via annual UI Funding
agreements (i.e. grant agreements), which contain requirements of the SWAs.

Some of the requirements of the grant agreement are included in the assurances that
each SWA must annually attest to via signature in order to receive annual Federal grant
funding for the administration of the SWA UI program.
In order for the Secretary of
Labor to ensure that SWAs have adequate disaster-recovery capabilities, the grant
agreement between the DOL and each SWA contains an assurance of
disaster-recovery capability.

The “Assurance of Disaster Recovery Capability” (Assurance H) is explained in more
detail in Employment and Training Handbook No. 336, 18th Edition, Unemployment
Insurance State Quality Service Plan (SQSP) Planning and Reporting Guidelines. The
handbook details that “The state assures that it will maintain a Disaster Recovery Plan.”

IT contingency planning is an essential element of a disaster-recovery capability.
Proper contingency planning ensures the continued availability of an information system
in the event of a disruption due to a disaster or other system interruption. The Secretary
requires the SWAs to attest to this capability in order to reduce the risk of UI program
unavailability.

ETA has strongly encouraged the SWAs to utilize NIST IT security documents and
guidelines, including NIST SP 800-34, since 2004, when it issued UIPL Number 24-04:
Unemployment Insurance Information Technology Security. This guidance provided the
SWAs with specific information on the NIST IT security guidelines and a software tool to
conduct a security self-assessment of UI computer systems.
In accordance with NIST
SP 800-34, proper IT contingency planning can assist in maintaining the continued
availability of an information system in the event of disaster or other system disruption:

       IT systems are vulnerable to a variety of disruptions, ranging from mild
       (e.g., short-term power outage, disk drive failure) to severe (e.g.,
       equipment destruction, fire). Many vulnerabilities may be minimized or
       eliminated through technical, management, or operational solutions as
       part of the organization’s risk management effort ... Contingency planning
       is designed to mitigate the risk of system and service unavailability by
       focusing on effective and efficient recovery solutions.

Audit Background

After Hurricanes Katrina and Rita devastated the Gulf Coast in 2005, ETA found the
states impacted by the hurricanes had large disparities in their level of preparedness in
IT and operational recovery of the UI program. Based on this, the Assistant Secretary
requested the OIG conduct an audit, as ETA was interested in knowing which states
had viable plans to deal with emergencies. In response to this request, the OIG
performed a follow-on audit. The previous audit (OIG audit report no. 23-08-004-03-315)
assessed the level of preparedness at four high-risk SWAs and ETA’s related
monitoring and oversight of the SWAs’ IT contingency planning efforts. This report is
available for view on the OIG’s public website at:
http://www.oig.dol.gov/public/reports/oa/2008/23-08-004-03-315.pdf.

The previous audit included OIG judgmentally selecting a sample of four SWAs, from a
universe of 53, for detailed examination.
The sampled SWAs were selected from a list
of states determined to be high-risk based on historical data regarding frequency of
disasters declared in each state from FEMA.

Pursuant to the audit, ETA requested all 53 UI Systems’ IT contingency plans for the
OIG’s review. The auditors received 51 plans, with 2 SWAs responding that they did
not have a plan at the time of the request. Because of time and scope limitations, the
audit focused on the four high-risk SWAs where the auditors performed on-site fieldwork
to assess the SWAs' UI systems’ IT contingency planning controls.

The audit concluded that ETA required the SWAs to develop and implement
disaster-recovery plans as a condition of their grant agreements, but does not verify that the
plans are developed, tested, or meet accepted practices. The audit showed that three of
four SWAs audited may not be able to recover the UI Systems necessary to maintain
operational capability in a timely, orderly manner or perform essential functions during
an emergency or other situation that may disrupt normal operations. The OIG
recommended the Assistant Secretary for Employment and Training enact a monitoring
and review process to verify SWAs develop and test IT contingency plans necessary to
sustain the UI program; and identify and address any weaknesses found in IT
contingency plans.
The Deputy Assistant Secretary for Employment and Training
agreed with the recommendations.

In order to get a full picture of the degree of reliability and maturity of contingency
planning across all UI jurisdictions, the OIG performed the follow-on audit to assess all
UI jurisdictions’ IT contingency plans.

Appendix B
Objective, Scope, Methodology, and Criteria

Objective

Our audit was designed with the following overall objective:
   Has ETA ensured SWA partners establish and maintain required IT contingency
   plans vital for UI services to continue reliably in the event of a disaster or system
   interruption?

Scope

Our audit scope comprised an audit universe of 53 UI jurisdictions, including 50 states,
the District of Columbia, Virgin Islands, and Puerto Rico. Of the 53 UI jurisdictions, 51
SWAs provided copies of their IT contingency plans or other documents purported to be
IT contingency plans for our review. Two jurisdictions, New York and New Hampshire,
notified us that they did not have IT contingency plans at the time of our request.

A performance audit includes gaining an understanding of internal controls considered
significant to the audit objectives and testing compliance with significant laws,
regulations, and other compliance requirements.
In order to plan the audit, we
considered whether internal controls significant to the audit were properly designed and
placed in operation. However, we did not assess overall internal controls.

We conducted this performance audit in accordance with generally accepted
government auditing standards. Those standards require that we plan and perform the
audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our
findings and conclusions based on our audit objective. We believe the evidence
obtained provides a reasonable basis for our findings and conclusions based on our
audit objective.

Methodology

In FY 2008, the OIG conducted an audit to determine if ETA provided sufficient
oversight of SWA IT contingency planning for the UI program in order to minimize
service disruption in the event of a disaster or other situation that may disrupt normal
operations. The methodology for achieving that audit included examining contingency
plans in place at four SWAs located in CA, TX, NY, and LA. We also reviewed ETA
oversight activities in ETA ROs and HQ. We tested to determine if the SWAs had
adequate IT contingency plans in place to support critical UI program functions in the
event of a disaster or service disruption to the IT supporting the UI program. We
selected the sample of 4 SWAs, from a universe of 53, for detailed examination. The
sample states were judgmentally selected from a list of SWAs determined to be
high-risk based on historical data and professional judgment regarding frequency of
disasters declared in each state.

For the current, follow-on audit, we assessed the quality of the responses received from
the 51 SWAs by conducting an examination of the elements that comprise IT
contingency plan development according to NIST Special Publication 800-34,
Contingency Planning for Information Technology Systems.

In planning and performing the audit, we considered ETA’s internal controls as identified
in the previous audit, which we updated during this follow-on audit. Specifically, in order
to assess ETA’s oversight of contingency planning in the SWAs, we conducted
interviews and documentation analysis at the ETA National Office to assess the grant
administration and monitoring activities conducted by ETA in support of the
Federal-State UI partnership. We reviewed the Federal-State UI grant agreement and the
level of guidance, review, and monitoring done at the Federal level. Our review of ETA’s
controls led us to conclude that while the SWAs annually attest to maintaining disaster
preparedness plans, ETA did not conduct specific verification to ensure the validity of
the SWAs’ self-attestations.

Our current audit methodology included a detailed assessment of information that was
submitted by the 51 SWAs. We performed a review of documentary evidence at OIG
offices using an analytical tool consisting of a spreadsheet designed to segregate and
categorize the information received. Data reliability tests were not performed as this
was a performance audit that analyzed the content of contingency plans. The nature of
the audit did not require any reliance on the validity of system-generated data.

Responses submitted from the SWAs consisted of bundled information containing one
or more plan(s) or related document(s).
Each of those documents was analyzed
individually by the auditors using a separate spreadsheet for each plan for the purpose
of determining which elements are present in the different plans. For each SWA, a
conclusion was made as a whole incorporating all factors being assessed.

The necessity to assess multiple plans was due to overlap in the definition of what
constitutes an IT contingency plan. According to NIST SP 800-34, there are several
types of plans that are related to IT contingency planning.

       IT contingency planning represents a broad scope of activities designed to
       sustain and recover critical IT services following an emergency. IT
       contingency planning fits into a much broader emergency preparedness
       environment that includes organizational and business process continuity
       and recovery planning. Ultimately, an organization would use a suite of
       plans to properly prepare response, recovery, and continuity activities for
       disruptions affecting the organization’s IT systems, business processes,
       and the facility. Because there is an inherent relationship between an IT
       system and the business process it supports, there should be coordination
       between each plan during development and updates to ensure that
       recovery strategies and supporting resources neither negate each other
       nor duplicate efforts.

       In general, universally accepted definitions for IT contingency planning
       and these related planning areas have not been available. Occasionally,
       this unavailability has led to confusion regarding the actual scope and
       purpose of various types of plans.

NIST SP 800-34 provides a description as a common basis of understanding for these
different types of plans. However, because of the lack of standard definitions for these
types of plans, the scope of actual plans developed by organizations may vary from the
descriptions as defined by NIST SP 800-34. As such, our analysis took into
consideration all information submitted by the SWAs in determining which elements
were incorporated in the information provided.

NIST SP 800-34 goes on to define Disaster Recovery Plans (DRP) as follows:
“Frequently, DRP refers to an IT-focused plan designed to restore operability of the
target system, application, or computer facility at an alternate site after an emergency.”

Consequently, the information submitted by the UI jurisdictions was only considered to
the extent that it related to information technology. If a document was submitted that
contained an element, such as a description of the scope, it needed to address the
scope as it pertained to computer systems, as opposed to something like building
security.

Specifically, the analysis was based on section four of NIST SP 800-34, which deals
with IT contingency plan development. This section serves as a guide in deriving a plan
format that incorporates elements of contingency planning. This guide identifies five
main components of the contingency plan. Those components are the (1) supporting
information, (2) notification/activation phase, (3) recovery phase, (4) reconstitution
phase, and (5) the plan appendices. We further identified 17 plan elements within the 5
main components to assess. We placed special emphasis on the existence of four
elements that, in our judgment, are critical to ensuring a plan is actionable.
These elements include:

    •   Line of Succession,
    •   Detailed Recovery Procedures,
    •   Contact information of Contingency Planning (CP) Teams, and
    •   Reconstitution Phase Procedures.

The 17 plan elements within the five main components of the contingency plan are as
follows:

•   Supporting Information
    1. Purpose
    2. Applicability
    3. Scope
    4. Record of Changes
    5. System Description
    6. Line of Succession
    7. Responsibilities

•   Notification Phase
    8. Activation Criteria
    9. Documented Notification Procedures
    10. Damage Assessment

•   Recovery Phase
    11. Detailed Recovery Procedures

•   Reconstitution Phase
    12. Reconstitution Phase Procedures

•   Plan Appendices
    13. Contact Information of CP Teams
    14. Vendor Contact Information
    15. Checklist for System Recovery
    16. Equipment/System Requirements Lists
    17. Description/Direction to Alternative Sites

We analyzed the SWAs’ submissions to determine the extent to which they included the
17 plan elements, and whether the documentation represented an IT plan in and of
itself. We tabulated our conclusions in terms of whether the plan included, did not
include, or partially included these elements.

We did not observe SWA personnel activities, perform operational security tests, or
interview management or staff involved in the implementation and management of the
disaster recovery capability at the SWAs.
We based our conclusions solely on evidence
provided by the SWAs.

We determined the risk of each SWA UI system based on historical data and
professional judgment regarding frequency of disasters declared in each state from
FEMA, as shown in the following table:

[Bar chart: FEMA Number of Disasters Declared by State/Territory, 1953-2008.
Axes: State/Territory; Number of Disasters Declared (0 to 90).]

Figure 1: Based on FEMA Number of Disasters Declared by State/Territory.

Criteria

   •   Social Security Act of 1935

   •   20 CFR 602.00 (2008)

   •   UI Annual Funding Agreement

   •   ETA Handbook No. 336: UI SQSP Handbook

   •   NIST SP 800-34, Contingency Planning for Information Technology Systems

   •   OMB A-123: Management’s Responsibility for Internal Control

   •   FEMA, Declared Disasters by Year or State, as of December 15, 2008

   •   UIPL Number 24-04: UI IT Security

Appendix C
Acronyms and Abbreviations

A-123       OMB Circular A-123, Management’s Responsibility for Internal Control,
            Introduction
CFR         Code of Federal Regulations
CIO         Chief Information Officer
COOP        Continuity of Operations Plan
CP          Contingency Planning
DOL         United States Department of Labor
DRP         Disaster Recovery Plans
ETA         Employment and Training Administration
FEMA        Federal Emergency Management Agency
IT          Information Technology
NIST        National Institute of Standards and Technology
OIG         Office of Inspector General
OMB         Office of Management and Budget
SP          Special Publication
SQSP        State Quality Service Plan
SWA         State Workforce Agency
UI          Unemployment Insurance
UIPL        Unemployment Insurance Program Letter
UI Systems  UI Tax and Benefit Systems
Y2K         Year 2000

Appendix D
Agency Response to Draft Report

TO REPORT FRAUD, WASTE, OR ABUSE, PLEASE CONTACT:

Online:      http://www.oig.dol.gov/hotlineform.htm
Email:       hotline@oig.dol.gov

Telephone:   1-800-347-3756
             202-693-6999

Fax:         202-693-7020

Address:     Office of Inspector General
             U.S. Department of Labor
             200 Constitution Avenue, N.W.
             Room S-5506
             Washington, D.C. 20210
"